Spam reporting and management in a communication network

ABSTRACT

Systems and methods are disclosed for reporting spam detected in a communication network. Entities in the network detect that an electronic message comprises spam, and generate a spam report for the electronic message. The spam report is in a format that is enhanced with newly-defined fields. A spam center in the network receives the spam reports from the entities, and processes the spam reports to generate spam rules for detecting spam in electronic messages transported over the communication network. The spam center then selectively distributes the spam rules to one or more of the entities of the communication network based on an analysis of the spam reports. The entities may then use the spam rules to detect spam in other electronic messages that are transported over the communication network.

FIELD OF THE INVENTION

The invention is related to the field of communications, and moreparticularly, to reporting spam detected in a communication network.

BACKGROUND

Almost every user of an electronic messaging technology has encounteredspam messages. Spam is the use of electronic messaging systems to sendunsolicited messages indiscriminately to multiple end users. The mostwidely recognized form of spam is email spam, but the term is applied toinstant messaging (IM), SMS, MMS, social networking, and other types ofmessaging.

Some communication networks have a centralized spam agent that tracksspam messages that are transported in the network. End user devices andnetwork nodes (e.g., an email server, SMSC, MMSC) may be programmed toreport spam messages to the centralized spam agent. Standards bodieshave defined formats for the spam reports. For example, the InternetEngineering Task Force (IETF) has defined a Message Abuse ReportingFormat (MARF) for reporting spam to the centralized agent. Similarly,Open Mobile Alliance (OMA) has suggested a format for reporting spam(“Mobile Spam Reporting Technical Specification”;OMA-TS-SpamRep-V1_0-20100601-D).

Unfortunately, present reporting standards for spam are insufficient,and the centralized agent does not adequately protect the network fromspam.

SUMMARY

Embodiments described herein provide improved reporting of spam to acentralized spam center. A reporting format as described herein includesenhanced fields for spam information, such as message protocol, abusetype, abuse detection method, abuse keyword(s), abuse multimediaelement, delivery decision, and timestamps. These additional fieldsprovide the spam center with more information about the spam messagesand how they were detected. The spam center processes the spam reports(with the enhanced reporting format) to generate spam rules that areused to filter electronic messages that are transported over thenetwork. The spam center then distributes the spam rules to messagecenters within the network. The spam rules sent to the message centersare more effective for spam filtering because the spam center had moreand better information to use in generating the spam rules. Thus, spamshould be less of a problem within the network.

One embodiment comprises an entity in a communication network thathandles electronic messages transported over the communication network,such as an end user device or a message center. In handling theelectronic messages, the entity is operable to detect that an electronicmessage comprises spam. This means that the entity has either identifiedthe message as spam or has identified the message is suspected of beingspam. In response to determining that the electronic message comprisesspam, the entity is further operable to generate a spam report for theelectronic message, and to transmit the spam report to a spam center.The spam report is in a format that is enhanced with one or more of thefollowing fields: message type, abuse type, abuse detection method,abuse keyword, abuse multimedia elements, and message delivery decision.

Another embodiment comprises the spam center in the communicationnetwork. The spam center is operable to receive the spam reports fromthe entities of the communication network, and to process the spamreports to generate spam rules for filtering electronic messagestransported over the communication network. The spam center is furtheroperable to selectively distribute the spam rules to one or more of theentities of the communication network based on an analysis of the spamreports. The entities may then use the spam rules to detect spam inother electronic messages that are transported over the communicationnetwork.

Other exemplary embodiments may be described below.

DESCRIPTION OF THE DRAWINGS

Some embodiments of the present invention are now described, by way ofexample only, and with reference to the accompanying drawings. The samereference number represents the same element or the same type of elementon all drawings.

FIG. 1 illustrates a communication network in an exemplary embodiment.

FIG. 2 is a flow chart illustrating a method of reporting spam in anexemplary embodiment.

FIG. 3 is a flow chart illustrating a method of generating spam rules inan exemplary embodiment.

FIG. 4 illustrates a spam center receiving spam reports from entities inan exemplary embodiment.

FIG. 5 illustrates a spam center distributing spam rules to entities inan exemplary embodiment.

DESCRIPTION OF EMBODIMENTS

The figures and the following description illustrate specific exemplaryembodiments of the invention. It will thus be appreciated that thoseskilled in the art will be able to devise various arrangements that,although not explicitly described or shown herein, embody the principlesof the invention and are included within the scope of the invention.Furthermore, any examples described herein are intended to aid inunderstanding the principles of the invention, and are to be construedas being without limitation to such specifically recited examples andconditions. As a result, the invention is not limited to the specificembodiments or examples described below, but by the claims and theirequivalents.

FIG. 1 illustrates a communication network 100 in an exemplaryembodiment. Communication network 100 comprises a packet-switchednetwork that is operable to transport electronic messages. Electronicmessages comprise any type of digital message that is exchanged over anetwork. Some examples of an electronic message are emails, ShortMessage Service (SMS) messages, Multimedia Message Service (MMS)messages, Instant Messages (IM), etc. In this embodiment, communicationnetwork 100 includes a plurality of message centers 110-113. A messagecenter 110-113 comprises any server, router, or other system operable tohandle electronic messages. Some examples of a message center 110-113are a Short Message Service Center (SMSC), a Multimedia Message ServiceCenter (MMSC), an email server, and an Instant Messaging gateway (IMGW). Communication network 100 may include multiple other servers,routers, and other network elements.

Communication network 100 also provides service to a plurality of enduser devices, referred to generally as user agents 120-123. User agents120-123 comprise any devices (wireline or wireless) operated by endusers to send or receive electronic messages. For example, a user agent120-123 may comprise a phone or other device having an SMS application,an MMS application, or an IM application. A user agent 120-123 may alsocomprise a phone, a PC, a laptop, etc., having an email application.Message centers 110-113 and user agents 120-123 are referred togenerally herein as “entities”.

Communication network 100 in FIG. 1 also includes a spam center 130.Spam center 130 comprises any system or server that receives spamreports from entities, and generates spam criteria, rules, algorithms,etc., (referred to herein as “spam rules”) for detecting spam inelectronic messages. For example, the spam rules may indicate whichelectronic messages comprise spam, such as by an originating/terminatingaddress for the message, an originating/terminating domain for themessage, etc. The spam rules may also indicate how to filter electronicmessages that comprise spam, such as block the message, deliver themessage, hold the message, etc.

When in operation, user agents 120-123 transmit and receive electronicmessages over communication network 100. Message centers 110-113 handlethese electronic messages that are exchanged over communication network100. As part of handling the electronic messages, message centers110-113 and/or user agents 120-123 may process the spam rules that aregenerated by spam center 130 to detect electronic messages that areidentified or suspected of comprising spam. Message centers 110-113 anduser agents 120-123 are able to report any identified or suspiciouselectronic messages to spam center 130 in a spam report. FIG. 2 furtherillustrates how user agents 120-123 and/or message centers 110-113report to spam center 130.

FIG. 2 is a flow chart illustrating a method 200 of reporting spam in anexemplary embodiment. The steps of method 200 will be described withreference to network 100 in FIG. 1, but those skilled in the art willappreciate that method 200 may be performed in other networks andsystems. The steps of the flow charts described herein are not allinclusive and may include other steps not shown. The steps may also beperformed in an alternative order.

In step 202, an entity (e.g., message centers 110-113 and/or user agents120-123) in network 100 detects that an electronic message comprisesspam. This means that the entity has either identified the message asspam or has identified the message is suspected of being spam. Theentity may make this determination based on rules and/or policies thatare distributed by spam center 130 (this is further described in FIG.3). In response to detecting that the electronic message comprises spam,the entity generates a spam report for the electronic message in step204. The spam report includes characteristics about the electronicmessage, and characteristics about how the entity determined that theelectronic message comprises spam. For example, the spam report mayindicate where the electronic message came from, where the electronicmessage was being sent, the content of the electronic message (e.g.,keywords), what rules are violated by the electronic message, etc. Instep 206, the entity transmits the spam report to spam center 130.

There are standardized formats for the spam reports which define thefields that are included in the report. For example, the InternetEngineering Task Force (IETF) and the Open Mobile Alliance (OMA) haveeach defined standards for spam reporting. In this embodiment, a spamreport sent by an entity to spam center 130 is enhanced to includenewly-defined fields. According to the enhancements, a report for anelectronic message that comprises spam includes one or more of thefollowing newly-defined fields:

(1) Message ID. The Message ID field is of type “Integer”, and indicatesthe unique identifier for the electronic message. A message ID may befound in the electronic message itself for an incoming message, or maybe created by a message center for an outgoing message.

(2) Message Center ID. The Message Center ID field is of type “Integer”,and indicates the unique identifier for a message center which sent thespam report.

(3) Message Type. The Message Type field is of type “Enumerated”, andindicates the type of electronic message. Examples of a type ofelectronic message include email, SMS, MMS, and IM.

(4) Message Protocol ID. The Message Protocol ID field is of type“Enumerated”, and indicates the message protocol used by a messagecenter for transporting the electronic message. Examples of a messageprotocol are: SMTP, SMPP, 3GPP MAP, 3GPP SIP, 3GPP2 SIP, and ANSI SMDPP.

(5) Message Teleservice ID. The Message Teleservice ID field is of type“String”, and indicates the message teleservice identifier or servicetype. For example, in SMS, the teleservice ID could be WPT (WirelessPaging Teleservice), WMT (Wireless Messaging Teleservice), VMN(Voicemail Notification), WAP, WEMT (Wireless Enhanced MessagingTeleservice), etc.

(6) Message Language Indicator. The Message Language Indicator field isof type “Integer”, and indicates the language used in the electronicmessage. Examples of the language are English, French, Spanish, Italian,etc.

(7) Message Segment Indicator. The Message Segment Indicator field is oftype “Integer”, and indicates the message segment(s) that are identifiedas spam. When an electronic message exceeds a length defined in theprotocol (e.g., 160 characters in SMS), an entity sending the electronicmessage may break down the whole electronic message into multiplesegments. Each segment is within the allowed length of the protocol. Theentity indicates the sequence of segments so that the receiving entitymay re-assemble the whole electronic message together and display as onemessage. For spam detection, one of segments may be identified as aspam, while the rest segments are not. This field indicates whichmessage segment or segments is identified as spam.

(8) Message Data Encoding. The Message Data Encoding field is of type“String”, and indicates the user data encoding schemes used in theelectronic message. There are many different data encoding schemes usedfor electronic message. For example, SMS has ASCII, GSM defaultalphabet, Octet Unspecified, USC (UNICODE), etc.

(9) Message User Data. The Message User Data field is of type“UTF8String”, and includes the user data (payload content) or a subsetof the user data from the original electronic message.

(10) Originating Domain. The Originating Domain field is of type“String”, and indicates the domain name of the originating network forthe electronic message.

(11) Originating Address Type. The Originating Address Type field is oftype “Enumerated”, and indicates the address type for the originator ofthe electronic message. Examples of the address type include an IPaddress, a mobile number (MSISDN, IMSI), an email address, etc.

(12) Originating Address. The Originating Address field is of type“String”, and indicates the address for the originator of the electronicmessage.

(13) Terminating Domain. The Terminating Domain field is of type“String”, and indicates the domain name of the terminating network forthe electronic message.

(14) Termination Address Type. The Terminating Address Type field is oftype “Enumerated”, and indicates the address type for thedestination/recipient of the electronic message.

(15) Termination Address. The Terminating Address field is of type“String”, and indicates the address for the destination/recipient of theelectronic message.

(16) Abuse Type. The Abuse Type field is of type “Enumerated”, andindicates the type of abuse found or suspected for the electronicmessage. Examples of abuse type include spam (or not spam), phishing,spoofing, fake sender address, unauthorized sender/recipient, suspiciousnetwork/domain, message flooding, denial of service attack, malware(e.g., virus/spyware), and unauthorized message (violation of a securitypolicy).

(17) Abuse Detected Method. The Abuse Detected Method field is of type“Enumerated”, and indicates how the abuse was detected by the entity forthe electronic message. Examples of how to detect abuse includewhite/black list, forbidden network domain/address screening, forbiddenapplication entity screening, spam keywords match, spam multimediamatch, spam pattern match, volume threshold per sender match, and volumethreshold per sending network/domain match.

(18) Abuse Keyword. The Abuse Keyword field is of type “String”, andindicates the keywords detected by an entity for the electronic message.The content of this field may be a single word, multiple words, aphrase, a short sentence, etc.

(19) Abuse Multimedia Element. The Abuse Multimedia Element field is oftype “UTF8String”, and indicates the abuse multimedia element detectedby a message center. Some messaging protocols allow for multimediaelements to be embedded in the message, such as music melody, ringtones, pictures, animation, etc. This field indicates the multimediaelement detected in the message.

(20) Message Delivery Decision. The Message Delivery Decision field isof type “Enumerated”, and indicates how a message center filtered theelectronic message (if applicable). Examples of a delivery decisioninclude delivered, rejected with notification, dropped silently, and onhold for instruction.

(21) Message Received Timestamp. The Message Received Timestamp field isof type “Time”, and indicates the time in which the electronic messagewas received or created at an entity.

(22) Message Delivered Timestamp. The Message Delivered Timestamp fieldis of type “Time”, and indicates the time in which the electronicmessage was delivered to an entity.

(23) Message Blocked Timestamp. The Message Blocked Timestamp field isof type “Time”, and indicates the time in which the electronic messagewas rejected or dropped silently at the message center.

As entities in network 100 handle electronic messages over a period oftime, many entities may provide spam reports to spam center 130 usingthe enhanced format. Spam center 130 may then process the spam reportsto generate new spam rules/policies for network 100.

FIG. 3 is a flow chart illustrating a method 300 of generating spamrules in an exemplary embodiment. The steps of method 300 will bedescribed with reference to spam center 130 in FIG. 1, but those skilledin the art will appreciate that method 300 may be performed in othernetworks and systems.

In step 302, spam center 130 receives the spam report(s) from one ormore entities (e.g., message centers 110-113 and user agents 120-123) ofnetwork 100. FIG. 4 illustrates spam center 130 receiving spam reportsfrom entities in an exemplary embodiment. Again, the spam reports are inthe enhanced format described above. In step 304, spam center 130processes, compiles, and/or analyzes the spam report(s) from theentities of network 100 to generate new spam rules (also referred to asa new spam policy) for communication network 100. The spam rules areused to instruct entities how to identify spam and/or how to filterelectronic messages that comprise spam. For example, the spam rules mayindicate a source of a spam message (e.g., an originatingaddress/originating domain), a message protocol for a spam message, akeyword(s) for a spam message, etc. The spam rules may further indicatea filtering time window that defines a time period that the spam rulesare valid.

In step 306, spam center 130 selectively distributes the spam rules toone or more of the entities. FIG. 5 illustrates spam center 130distributing spam rules to entities in an exemplary embodiment. In theexample shown in FIG. 5, spam center 130 sends the spam rules to messagecenters 110-111. However, spam center 130 may send the spam rules tomultiple other entities in other embodiments.

In order to “selectively” distribute the spam rules to the entities,spam center 130 analyses the spam reports received from the entities.The analysis includes processing one or more of the fields of thereports to determine which entities are applicable to the new spamrules. When the applicable entities are identified based on the spamreport they submitted, spam center 130 may selectively distribute thespam rules to these applicable entities. The applicability of aparticular entity may depend on the spam rules that were generated. Forexample, if the spam rules apply to SMS, then spam center 130 maydetermine that only SMSCs are applicable. If the spam rules apply tomultimedia content, then spam center 130 may determine that only MMSCsand email servers are applicable. Regardless, spam center 130 uses theinformation submitted in the spam reports from the entities to determinewhere to distribute spam rules that is generates.

In one embodiment, spam center 130 may distribute the new spam rulesbased on message type. To do so, spam center 130 may analyze the messagetype (and possibly the protocol ID) in the spam report(s), and identifythe entities that handle electronic messages of this particular messagetype. For instance, if the message type is SMS, then spam center 130 mayidentify the entities in network 100 that handle SMS messages. Spamcenter 130 may then selectively distribute the spam rules to theentities identified for handling this particular type of message. Thespam rules may also be distributed to entities of different messagetypes. For example, if a spam email is identified with a forbiddenforeign network domain, then spam center 130 may generate spam rules forthis foreign network domain, and distribute the spam rules to SMSCs andMMSCs in communication network 100 in addition to email servers incommunication network 100.

In another embodiment, spam center 130 may additionally or alternativelydistribute the new spam rules based on an abuse type. For example, spamcenter 130 may analyze the abuse type (and possibly the protocol ID) inthe spam report(s), and identify the entities that detected a particularabuse type or are susceptible of this particular abuse type. Spam center130 may then selectively distribute the spam rules to these identifiedentities.

In another embodiment, spam center 130 may additionally or alternativelydistribute the new spam rules based on a particular originatingaddress/domain. For example, spam center 130 may analyze the originatingaddress and/or originating domain in the spam report(s), and identifythe entities that handle electronic messages from this originatingaddress/domain. For instance, if the originating domain is a foreigndomain, then spam center 130 may identify the entities in network 100that potentially receive electronic messages from this foreign domain.Spam center 130 may then selectively distribute the spam rules to theseidentified entities.

There may be many other factors that contribute to the decision of whereto distribute a new set of spam rules, such as language, abuse detectedmethod, terminating domain, etc. Virtually any of the new fields in thespam reports may be used alone or in combination in the decision ofwhere to distribute the new set of spam rules. Spam center 130 may alsodistribute the new spam rules to each of the entities in communicationnetwork 100, if it determines the new spam rules are useful to each ofthe entities in preventing spam attacks. Thus, the new spam rules wouldbe broadcast network-wide.

When an entity, such as message center 110, receives the new spam rulesfrom spam center 130, it processes the new spam rules when handlingelectronic messages to detect spam. If message center 110 detects spambased on the new spam rules, then message center 110 again generates aspam report using the format described above. Message center 110 mayalso indicate the spam rules that were used in detecting the spammessage, such as by a rules or policy ID. Each of the entities thatreceive the new spam rules operates in a similar fashion to report spamto spam center 130. The process then repeats with spam center 130generating new spam rules based on the new report(s).

One advantage in the above embodiments is that the new format for thespam reports provides much more information about a spam message. Spamcenter 130 is able to use the additional information in defining the newspam rules and in selectively distributing the new spam rules to theentities. This allows the entities to most effectively detect spam inthe electronic messages that are transported over network 100, andfiltering the spam accordingly.

Any of the various elements shown in the figures or described herein maybe implemented as hardware, software, firmware, or some combination ofthese. For example, an element may be implemented as dedicated hardware.Dedicated hardware elements may be referred to as “processors”,“controllers”, or some similar terminology. When provided by aprocessor, the functions may be provided by a single dedicatedprocessor, by a single shared processor, or by a plurality of individualprocessors, some of which may be shared. Moreover, explicit use of theterm “processor” or “controller” should not be construed to referexclusively to hardware capable of executing software, and mayimplicitly include, without limitation, digital signal processor (DSP)hardware, a network processor, application specific integrated circuit(ASIC) or other circuitry, field programmable gate array (FPGA), readonly memory (ROM) for storing software, random access memory (RAM), nonvolatile storage, logic, or some other physical hardware component ormodule.

Also, an element may be implemented as instructions executable by aprocessor or a computer to perform the functions of the element. Someexamples of instructions are software, program code, and firmware. Theinstructions are operational when executed by the processor to directthe processor to perform the functions of the element. The instructionsmay be stored on storage devices that are readable by the processor.Some examples of the storage devices are digital or solid-statememories, magnetic storage media such as a magnetic disks and magnetictapes, hard drives, or optically readable digital data storage media.

Although specific embodiments were described herein, the scope of theinvention is not limited to those specific embodiments. The scope of theinvention is defined by the following claims and any equivalentsthereof.

We claim:
 1. A method performed in a spam center of a communicationnetwork, the method comprising: receiving spam reports in the spamcenter from entities of the communication network that detect spam inelectronic messages transported over the communication network; whereinspam reports are each formatted with report fields comprising: an abusetype field indicating a type of abuse found in an electronic message, anabuse detected method field indicating a screening method used by anentity for detecting the abuse for the electronic message, an abusekeyword field indicating keywords detected by the entity in theelectronic message, and a message delivery decision field indicating howthe entity filtered the electronic message; processing the spam reportsin the spam center; generating new spam rules for detecting spam inelectronic messages transported over the communication network;analyzing the report fields of the spam reports to identify at least oneof the entities that detected a particular abuse keyword indicated inthe abuse keyword field, rendering the at least one of the entitiesapplicable to the new spam rules; and selectively distributing the newspam rules from the spam center to the identified one or more entitiesbased on the analysis of the report fields in the spam reports.
 2. Themethod of claim 1 wherein: the spam reports from the entities arefurther formatted with an abuse multimedia element field indicatingwhether a multimedia element is detected in the electronic message bythe entity as associated with the abuse.
 3. The method of claim 1wherein selectively distributing the new spam rules comprises:identifying entities that handle electronic messages of a particularmessage type based on the spam reports; and selectively distributing thenew spam rules from the spam center to the identified entities based onthe message type.
 4. The method of claim 3 wherein the message typeincludes one of: email, Short Message Service (SMS), Multimedia MessageService (MMS), and Instant Messaging.
 5. The method of claim 1 whereinselectively distributing the new spam rules comprises: identifyingentities that handle electronic messages from a particular originatingaddress/domain based on the spam reports; and selectively distributingthe new spam rules from the spam center to the identified entities basedon the originating address/domain.
 6. The method of claim 1 wherein: thenew spam rules indicate a time period during which the new spam rulesare valid.
 7. A system comprising: a spam center of a communicationnetwork, the spam center having a computer processor configured toreceive spam reports from entities of the communication network thatdetect spam in electronic messages transported over the communicationnetwork; wherein the spam reports are each formatted with report fieldscomprising: an abuse type field indicating a type of abuse found in anelectronic message, an abuse detected method field indicating ascreening method used by an entity for detecting the abuse for theelectronic message, an abuse keyword field indicating keywords detectedby the entity in the electronic message, and a message delivery decisionfield indicating how the entity filtered the electronic message; thespam center is further configured to: process the spam reports, generatenew spam rules for detecting spam in electronic messages transportedover the communication network, analyze the report fields in the spamreports to identify at least one of the entities that detected aparticular abuse keyword indicated in the abuse keyword field, renderingthe at least one of the entities applicable to the new spam rules, andselectively distribute the new spam rules to the identified one or moreentities based on the analysis of the report fields in the spam reports.8. The system of claim 7 wherein: the spam reports from the entities arefurther formatted with an abuse multimedia element field indicatingwhether a multimedia element is detected in the electronic message bythe entity as associated with the abuse.
 9. The system of claim 7wherein: the spam center is further configured to identify entities thathandle electronic messages of a particular message type based on thespam reports, and to selectively distribute the new spam rules to theidentified entities based on the message type.
 10. The system of claim 9wherein the message type includes one of: email, Short Message Service(SMS), Multimedia Message Service (MMS), and Instant Messaging.
 11. Thesystem of claim 7 wherein: the spam center is further configured toidentify entities that handle electronic messages from a particularoriginating address/domain based on the spam reports, and to selectivelydistribute the new spam rules to the identified entities based on theoriginating address/domain.
 12. The system of claim 7 wherein: the newspam rules indicate a time period during which the new spam rules arevalid.
 13. A network comprising: a plurality of entities that detectspam in electronic messages transported over the network, and generatespam reports for the electronic messages; wherein each entity generatesa spam report that is formatted with report fields comprising: an abusetype field indicating a type of abuse found in an electronic message, anabuse detected method field indicating a screening method used by theentity for detecting the abuse for the electronic message, an abusekeyword field indicating keywords detected by the entity in theelectronic message, and a message delivery decision field indicating howthe entity filtered the electronic message; and a spam center having acomputer processor that: receives the spam reports from the plurality ofentities, processes the spam reports, generates new spam rules fordetecting spam in electronic messages transported over the network,analyzes the report fields of the spam reports to identify at least oneof the entities that detected a particular abuse keyword indicated inthe abuse keyword field, rendering the at least one of the entitiesapplicable to the new spam rules, and selectively distributes the newspam rules to the identified one or more entities based on the analysisof the report fields in the spam reports.
 14. The network of claim 13wherein: the spam center identifies entities that handle electronicmessages of a particular message type based on the spam reports, andselectively distributes the new spam rules to the identified entitiesbased on the message type.
 15. The network of claim 14 wherein themessage type includes one of: email, Short Message Service (SMS),Multimedia Message Service (MMS), and Instant Messaging.
 16. The networkof claim 13 wherein: the spam center identifies entities that handleelectronic messages from a particular originating address/domain basedon the spam reports, and selectively distributes the new spam rules tothe identified entities based on the originating address/domain.
 17. Thenetwork of claim 13 wherein: the identified one or more entities thatreceive the new spam rules comprise message centers in the network thathandle electronic messages.